Staff Application Security Engineer - Very Good Security

Listing Description

Role Overview:


In this role, the Staff Application Security Engineer will work closely with the security and engineering teams to ensure that security is integrated into the software development lifecycle. They will also be responsible for developing and maintaining SDLC policies and procedures, as well as conducting application security training for engineers.


The ideal candidate will have excellent communication skills, as they will be responsible for working with a variety of teams and individuals across the organization. They should also be highly organized and able to manage multiple tasks and priorities effectively.


Responsibilities: 


What initiatives you’ll be involved in:



  • Triage and prioritize application security vulnerabilities. Work with Engineering to schedule mitigations.

  • Operate all aspects of a private bug bounty program, including tracking of spend and MTTM (mean time to mitigation) of security vulnerabilities.

  • Develop internal AppSec review processes.

  • Build and conduct secure coding training for all developers.

  • Mentor and train security champions throughout Engineering.

  • Implement automated, proactive security measures (e.g., SAST/DAST).

  • Develop a secure SDLC process and communicate the process to Engineering.

  • Collaborate with external-facing security communications teams when possible/feasible (e.g., blog posts, security vulnerability disclosures, etc.).


Qualifications:


What you bring to the role:



  • At least 3-5 years of direct experience either working on or leading an application security team.

  • Experience conducting internal application security reviews.

  • Experience with vulnerability disclosure programs.

  • Experience with building/measuring metrics and KPIs to track security mitigations.

  • Experience with source code repositories, CI/CD pipelines, and associated security tooling (e.g., GitHub, GitLab, etc.).

  • Experience developing and communicating Secure SDLC processes.

  • Experience working with SAST/DAST and related tools (e.g., Synopsys, Veracode, GitLab Secure, GitHub Advanced Security, etc.).

  • Experience with threat modeling methodologies (e.g., STRIDE).

  • Experience with Java and Python secure coding assessments.


Nice to Haves:



  • Experience with cloud-native pre-IPO startup companies.

  • Experience with AWS security services and tooling.


About you:



  • Able to succeed in a remote, globally-distributed work environment.

  • Highly organized, and able to triage and prioritize numerous issues and projects.

Performance indicators:



  • Mean time to mitigation for security vulnerabilities

  • Internal application security reviews conducted

  • Reduction in similar classes of security vulnerabilities over time


Listing Details

  • Citizenship: Not Provided
  • Incentives: Not Provided
  • Education: Not Provided
  • Travel: Not Provided
  • Telework: Not Provided
